CVE-2023-6782: 
WordPress vulnerability analysis and mitigation

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting (CVE-2023-6782) via the plugin's shortcode(s) in versions up to and including 1.0.92. This vulnerability was discovered due to insufficient input sanitization and output escaping on user supplied attributes (Wordfence Advisory).

The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode functionality. The CVSS v3.1 base score is 5.4 (Medium) according to NVD assessment with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Wordfence has assigned a slightly higher CVSS score of 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD Details).

This vulnerability allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to client-side attacks and compromised user interactions (Wordfence Advisory).

Users should update to a patched version of the AMP for WP plugin beyond version 1.0.92. The vulnerability has been addressed through improved input sanitization and output escaping mechanisms (WordPress Plugin).